Hotmail, MSN and Amazon Susceptible to Attack via Cross Site Scripting

Released on = July 5, 2006, 5:30 am

Press Release Author = Tamara Borg / Acunetix

Industry = Computers

Press Release Summary = Acunetix WVS protects the loss of sensitive personal data
due to XSS attacks

Press Release Body = London, UK - 05 July, 2006 - A 16 year old Dutch student,
Adriaan Graas, interested in Internet security and web development discovered a hack
for the popular Hotmail free email service via a Cross Site Scripting attack.
Microsoft, is reported to have been aware of this vulnerability for over a week but,
at time of writing, has not yet fixed it.

Hacking hotmail via XSS
When logging into Hotmail, a cookie is created allowing continual access of the user
while within the domain. Hackers may steal such cookies and produce fakes using such
tools as Proxomitron. Since Hotmail cookies are not IP-bound, hackers do not need
the password or the email address of the victim for logging in and accessing
personal emails and other data. Through Cross Site Scripting (XSS) the hacker
inserts JavaScript code that will send the fake cookie to a Web Server with a log
script and the deed is done.

Vulnerabilities in MSN and Amazon left unfixed
Security researcher, Yash Kadakia, frustrated by a lack of response from Microsoft
and Amazon.com, has gone public with details of flaws on MSN and Amazon. Similar to
the Hotmail case, Cross Site Scripting and CRLF (Carriage Return Line Feed)
injection vulnerabilities found in these sites could be used by hackers to steal
\"cookie\" data files allowing them access to Amazon.com and MSN accounts, or to
display a fake login page that could be used in phishing attacks.

Kadakia said he first notified Microsoft of the problem about a year ago but he
wasn\'t taken seriously until late last week, when he posted screen shots of the flaw
being exploited on his Web site. The Amazon.com flaw was discovered in December and
to-date the vulnerability remains un-patched, according to Kadakia.

Sanitizing Web Applications
Acunetix Web Vulnerability Scanner automatically audits web applications and checks
whether these applications are secure from exploitable vulnerabilities to such hack
attacks as Cross Site Scripting and CRLF injection. An automated check of the
Hotmail, Amazon and MSN websites (using Acunetix WVS) could pinpoint these and any
other possible vulnerabilities before it is too late saving the popular companies
from undue embarrassment, loss of reputation and customer trust, and any financial
losses resulting from the attack.

Acunetix provides free audit to help companies determine the security of their websites
Enterprises who would like to have their website security checked can register for a
free audit by visiting www.acunetix.com/security-audit. Participating enterprises
will receive a summary audit report showing whether their website is secure or not.
Summary reports will be delivered within five business days of submission.

About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically
checking for SQL injection, Cross site scripting, CRLF injection and other
vulnerabilities. It checks password strength on authentication pages and
automatically audits shopping carts, forms, dynamic content and other web
applications. As the scan is being completed, the software produces detailed reports
that pinpoint where vulnerabilities exist.

About Acunetix
Acunetix was founded to combat the alarming rise in web attacks. Its flagship
product, Acunetix Web Vulnerability Scanner, is the result of several years of
development by a team of highly experienced security developers. Acunetix is a
privately held company with headquarters based in Europe (Malta), a US office in
Seattle, Washington and an office in London, UK. For more information about
Acunetix, visit: http://www.acunetix.com; http://www.acunetix.de.

All product and company names herein may be trademarks of their respective owners.

Web Site = http://www.acunetix.com

Contact Details = For more information:
Please email Tamara Borg: tamara@acunetix.com
Acunetix Ltd: Tel: (+44) 0845 6126712; Fax: (+44) 0845 6126716.
URL: http://www.acunetix.com.

  • Printer Friendly Format
  • Back to previous page...
  • Back to home page...
  • Submit your press releases...
  •